Merge pull request #606 from Shopify/rd/fix-publish

robin-drexler · web-flow · commit 4873d1b1f141 · 2026-04-27T13:56:15.000-04:00
prepare for OIDC
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -18,11 +18,14 @@ jobs:
     needs: [checks]
     runs-on: ubuntu-latest
     timeout-minutes: 5
+    permissions:
+      contents: read
+      id-token: write # Required for OIDC authentication
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - uses: ./.github/workflows/actions/prepare
       - run: pnpm run type-check
       - run: pnpm run build
       - run: pnpm run deploy
         env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+          NPM_TOKEN: '' # Empty string forces OIDC
diff --git a/.github/workflows/preview-versions.yml b/.github/workflows/preview-versions.yml
@@ -11,6 +11,9 @@ jobs:
     name: Preview 🔮
     runs-on: ubuntu-latest
     timeout-minutes: 5
+    permissions:
+      contents: read
+      id-token: write # Required for OIDC authentication
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - uses: ./.github/workflows/actions/prepare
@@ -33,4 +36,4 @@ jobs:
           pnpm changeset publish --tag preview --no-git-tag
         env:
           GITHUB_TOKEN: ${{ secrets.SHOPIFY_GH_ACCESS_TOKEN }}
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+          NPM_TOKEN: '' # Empty string forces OIDC
